@theokit/sdk 2.8.0 → 2.9.0

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 2.9.0
+
+### Minor Changes
+
+- 4cbd107: V3-5 — make the eval-harness primitives usable without constructing a `SandboxBackend`. Both default to a `LocalSandbox` when no backend is passed; the explicit-sandbox path is unchanged.
+
+  - `provisionRepo` gains a 1-arg overload `provisionRepo(opts)` (sandbox defaults to a `LocalSandbox`, cloning into the process cwd's `<instanceId>`). The existing `provisionRepo(sandbox, opts)` form is unchanged. Pass an explicit `LocalSandbox({ workDir })` / Docker / E2B backend to control the workdir.
+  - `Scorers.verifyGate` — `VerifyGateOptions.sandbox` is now optional, defaulting to a `LocalSandbox` (workdir-independent: `verifyGate` always `cd`s to the explicit `repoDir`).
+
+  Lets a local execFile-based eval harness adopt these helpers without instantiating a backend it does not otherwise need. Zero new dependency (the default reuses the already-public `LocalSandbox`).
+
 ## 2.8.0
 
 ### Minor Changes

package/dist/eval.cjs

@@ -16193,6 +16193,118 @@ async function llmJudgeScore(options) {
   return parseScore(judgement.text, rubric);
 }
 
+// src/sandbox/types.ts
+var SandboxSecurityError = class extends Error {
+  code = "sandbox_security";
+  constructor(message) {
+    super(message);
+    this.name = "SandboxSecurityError";
+  }
+};
+var SHELL_METACHARACTERS = /[;&|`$(){}]/;
+var SandboxBackend = class {
+  config;
+  constructor(config = {}) {
+    this.config = {
+      workDir: config.workDir ?? "/tmp",
+      timeoutMs: config.timeoutMs ?? 3e4,
+      maxOutputBytes: config.maxOutputBytes ?? 5 * 1024 * 1024
+    };
+  }
+  async readFile(path) {
+    const result = await this.execute(`cat ${this.shellEscape(path)}`);
+    if (result.exitCode !== 0) {
+      throw new Error(`readFile failed: ${result.stderr}`);
+    }
+    return result.stdout;
+  }
+  async writeFile(path, content) {
+    await this.uploadFile(path, content);
+  }
+  async glob(pattern, cwd) {
+    const dir = cwd ?? this.config.workDir ?? ".";
+    const result = await this.execute(
+      `find ${this.shellEscape(dir)} -name ${this.shellEscape(pattern)} -type f 2>/dev/null`
+    );
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split("\n").filter(Boolean);
+  }
+  async grep(pattern, path) {
+    const target = path ?? ".";
+    const result = await this.execute(
+      `grep -rn ${this.shellEscape(pattern)} ${this.shellEscape(target)} 2>/dev/null`
+    );
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split("\n").filter(Boolean);
+  }
+  async listDir(path) {
+    const result = await this.execute(`ls -1 ${this.shellEscape(path)}`);
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split("\n").filter(Boolean);
+  }
+  validateCommand(command) {
+    if (SHELL_METACHARACTERS.test(command)) {
+      throw new SandboxSecurityError(
+        `Command contains shell metacharacters: ${command.slice(0, 80)}`
+      );
+    }
+  }
+  truncateOutput(output) {
+    const max = this.config.maxOutputBytes ?? 5 * 1024 * 1024;
+    if (Buffer.byteLength(output) > max) {
+      return `${output.slice(0, max)}
+...(truncated)`;
+    }
+    return output;
+  }
+  shellEscape(arg) {
+    return shellEscapePosix(arg);
+  }
+};
+
+// src/sandbox/local-sandbox.ts
+var LocalSandbox = class extends SandboxBackend {
+  constructor(config = {}) {
+    super(config);
+  }
+  async execute(command, opts) {
+    const timeout = opts?.timeoutMs ?? this.config.timeoutMs ?? 3e4;
+    const max = this.config.maxOutputBytes ?? 5 * 1024 * 1024;
+    return new Promise((resolve3) => {
+      const child = child_process.execFile(
+        "/bin/sh",
+        ["-c", command],
+        {
+          cwd: this.config.workDir,
+          timeout,
+          maxBuffer: max,
+          encoding: "utf-8"
+        },
+        (error, stdout, stderr) => {
+          resolve3(this.buildResult(error, stdout ?? "", stderr ?? ""));
+        }
+      );
+      child.on("error", () => {
+        resolve3({ stdout: "", stderr: "spawn error", exitCode: 1, timedOut: false });
+      });
+    });
+  }
+  buildResult(error, stdout, stderr) {
+    const timedOut = error !== null && "killed" in error && error.killed;
+    return {
+      stdout: this.truncateOutput(stdout),
+      stderr: this.truncateOutput(stderr),
+      exitCode: timedOut ? 124 : error ? 1 : 0,
+      timedOut
+    };
+  }
+  async uploadFile(path$1, content) {
+    const fullPath = path$1.startsWith("/") ? path$1 : `${this.config.workDir}/${path$1}`;
+    await promises.mkdir(path.dirname(fullPath), { recursive: true });
+    await promises.writeFile(fullPath, content, "utf-8");
+  }
+};
+
 // src/scorers.ts
 var JSON_SHAPE_MAX_BYTES = 1e6;
 function makeStringScorer(name, caseSensitive, compare) {
@@ -16296,7 +16408,7 @@ var Scorers = {
    * that rejects shell metacharacters in `execute` is unsupported for this scorer.
    */
   verifyGate(opts) {
-    const { sandbox, repoDir, failToPass, passToPass, command } = opts;
+    const { sandbox = new LocalSandbox(), repoDir, failToPass, passToPass, command } = opts;
     return {
       name: "verify-gate",
       score: async () => {